| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <307a3cb2-64c6-4671-9d50-2bb18d744bc0@arm.com>
Date: Thu, 18 Dec 2025 11:56:58 +0000
From: Ryan Roberts <ryan.roberts@....com>
To: Dev Jain <dev.jain@....com>, Uladzislau Rezki <urezki@...il.com>,
"David Hildenbrand (Red Hat)" <david@...nel.org>,
Lorenzo Stoakes <lorenzo.stoakes@...cle.com>,
Matthew Wilcox <willy@...radead.org>
Cc: linux-mm@...ck.org, Andrew Morton <akpm@...ux-foundation.org>,
Vishal Moola <vishal.moola@...il.com>, Baoquan He <bhe@...hat.com>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 2/2] mm/vmalloc: Add attempt_larger_order_alloc parameter
+ David, Lorenzo, Matthew
Hoping someone might be able to explain to me how this all really works! :-|
On 18/12/2025 11:53, Ryan Roberts wrote:
> On 18/12/2025 04:55, Dev Jain wrote:
>>
>> On 17/12/25 8:50 pm, Ryan Roberts wrote:
>>> On 17/12/2025 12:02, Uladzislau Rezki wrote:
>>>>> On 16/12/2025 21:19, Uladzislau Rezki (Sony) wrote:
>>>>>> Introduce a module parameter to enable or disable the large-order
>>>>>> allocation path in vmalloc. High-order allocations are disabled by
>>>>>> default so far, but users may explicitly enable them at runtime if
>>>>>> desired.
>>>>>>
>>>>>> High-order pages allocated for vmalloc are immediately split into
>>>>>> order-0 pages and later freed as order-0, which means they do not
>>>>>> feed the per-CPU page caches. As a result, high-order attempts tend
>>>>>> to bypass the PCP fastpath and fall back to the buddy allocator that
>>>>>> can affect performance.
>>>>>>
>>>>>> However, when the PCP caches are empty, high-order allocations may
>>>>>> show better performance characteristics especially for larger
>>>>>> allocation requests.
>>>>> I wonder if a better solution would be "allocate order-0 if available in pcp,
>>>>> else try large order, else fallback to order-0" Could that provide the best of
>>>>> all worlds without needing a configuration knob?
>>>>>
>>>> I am not sure, to me it looks like a bit odd.
>>> Perhaps it would feel better if it was generalized to "first try allocation from
>>> PCP list, highest to lowest order, then try allocation from the buddy, highest
>>> to lowest order"?
>>>
>>>> Ideally it would be
>>>> good just free it as high-order page and not order-0 peaces.
>>> Yeah perhaps that's better. How about something like this (very lightly tested
>>> and no performance results yet):
>>>
>>> (And I should admit I'm not 100% sure it is safe to call free_frozen_pages()
>>> with a contiguous run of order-0 pages, but I'm not seeing any warnings or
>>> memory leaks when running mm selftests...)
>>
>> Wow I wasn't aware that we can do this. I see that free_hotplug_page_range() in
>> arm64/mmu.c already does this - it computes order from size and passes it to
>> __free_pages().
>
> Hmm that looks dodgy to me. But I'm not sure I actually understand what is going
> on...
>
> Prior to looking at this yesterday, my understanding was this: At the struct
> page level, you can either allocate compond or non-compound. order-0 is
> non-compound by definition. A high-order non-compound page is just a contiguous
> set of order-0 pages, each with individual reference counts and other meta data.
> A compound page is one where all the pages are tied together and managed as one
> - the meta data is stored in the head page and all the tail pages point to the
> head (this concept is wrapped by struct folio).
>
> But after looking through the comments in page_alloc.c, it would seem that a
> non-compound high-order page is NOT just a set of order-0 pages, but they still
> share some meta data, including a shared refcount?? alloc_pages() will return
> one of these things, and __free_pages() requires the exact same unit to be
> provided to it.
>
> vmalloc calls alloc_pages() to get a non-compound high-order page, then calls
> split_page() to convert to a set of order-0 pages. See this comment:
>
> /*
> * split_page takes a non-compound higher-order page, and splits it into
> * n (1<<order) sub-pages: page[0..n]
> * Each sub-page must be freed individually.
> *
> * Note: this is probably too low level an operation for use in drivers.
> * Please consult with lkml before using this in your driver.
> */
> void split_page(struct page *page, unsigned int order)
>
> So just passing all the order-0 pages directly to __free_pages() in one go is
> definitely not the right thing to do ("Each sub-page must be freed
> individually"). They may have different reference counts so you can only
> actually free the ones that go to zero surely?
>
> But it looked to me like free_frozen_pages() just wants a naturally aligned
> power-of-2 number of pages to free, so my patch below is decrementing the
> refcount on each struct page and accumulating the ones where the refcounts goto
> zero into suitable blocks for free_frozen_pages().
>
> So I *think* my patch is correct, but I'm not totally sure.
>
> Then we have the ___free_pages(), which I find very difficult to understand:
>
> static void ___free_pages(struct page *page, unsigned int order,
> fpi_t fpi_flags)
> {
> /* get PageHead before we drop reference */
> int head = PageHead(page);
> /* get alloc tag in case the page is released by others */
> struct alloc_tag *tag = pgalloc_tag_get(page);
>
> if (put_page_testzero(page))
> __free_frozen_pages(page, order, fpi_flags);
>
> We only test the refcount for the first page, then free all the pages. So that
> implies that non-compound high-order pages share a single refcount? Or we just
> ignore the refcount of all the other pages in a non-compound high-order page?
>
> else if (!head) {
>
> What? If the first page still has references but but it's a non-compond
> high-order page (i.e. no head page) then we free all the trailing sub-pages
> without caring about their references?
>
> pgalloc_tag_sub_pages(tag, (1 << order) - 1);
> while (order-- > 0) {
> /*
> * The "tail" pages of this non-compound high-order
> * page will have no code tags, so to avoid warnings
> * mark them as empty.
> */
> clear_page_tag_ref(page + (1 << order));
> __free_frozen_pages(page + (1 << order), order,
> fpi_flags);
> }
> }
> }
>
> For the arm64 case that you point out, surely __free_pages() is the wrong thing
> to call, because it's going to decrement the refcount. But we are freeing based
> on their presence in the pagetable and we never took a reference in the first place.
>
> HELP!
>
>>
>>>
>>> ---8<---
>>> commit caa3e5eb5bfade81a32fa62d1a8924df1eb0f619
>>> Author: Ryan Roberts <ryan.roberts@....com>
>>> Date: Wed Dec 17 15:11:08 2025 +0000
>>>
>>> WIP
>>>
>>> Signed-off-by: Ryan Roberts <ryan.roberts@....com>
>>>
>>> diff --git a/include/linux/gfp.h b/include/linux/gfp.h
>>> index b155929af5b1..d25f5b867e6b 100644
>>> --- a/include/linux/gfp.h
>>> +++ b/include/linux/gfp.h
>>> @@ -383,6 +383,8 @@ extern void __free_pages(struct page *page, unsigned int order);
>>> extern void free_pages_nolock(struct page *page, unsigned int order);
>>> extern void free_pages(unsigned long addr, unsigned int order);
>>>
>>> +void free_pages_bulk(struct page *page, int nr_pages);
>>> +
>>> #define __free_page(page) __free_pages((page), 0)
>>> #define free_page(addr) free_pages((addr), 0)
>>>
>>> diff --git a/mm/page_alloc.c b/mm/page_alloc.c
>>> index 822e05f1a964..5f11224cf353 100644
>>> --- a/mm/page_alloc.c
>>> +++ b/mm/page_alloc.c
>>> @@ -5304,6 +5304,48 @@ static void ___free_pages(struct page *page, unsigned int
>>> order,
>>> }
>>> }
>>>
>>> +static void free_frozen_pages_bulk(struct page *page, int nr_pages)
>>> +{
>>> + while (nr_pages) {
>>> + unsigned int fit_order, align_order, order;
>>> + unsigned long pfn;
>>> +
>>> + pfn = page_to_pfn(page);
>>> + fit_order = ilog2(nr_pages);
>>> + align_order = pfn ? __ffs(pfn) : fit_order;
>>> + order = min3(fit_order, align_order, MAX_PAGE_ORDER);
>>> +
>>> + free_frozen_pages(page, order);
>>> +
>>> + page += 1U << order;
>>> + nr_pages -= 1U << order;
>>> + }
>>> +}
>>> +
>>> +void free_pages_bulk(struct page *page, int nr_pages)
>>> +{
>>> + struct page *start = NULL;
>>> + bool can_free;
>>> + int i;
>>> +
>>> + for (i = 0; i < nr_pages; i++, page++) {
>>> + VM_BUG_ON_PAGE(PageHead(page), page);
>>> + VM_BUG_ON_PAGE(PageTail(page), page);
>>> +
>>> + can_free = put_page_testzero(page);
>>> +
>>> + if (!can_free && start) {
>>> + free_frozen_pages_bulk(start, page - start);
>>> + start = NULL;
>>> + } else if (can_free && !start) {
>>> + start = page;
>>> + }
>>> + }
>>> +
>>> + if (start)
>>> + free_frozen_pages_bulk(start, page - start);
>>> +}
>>> +
>>> /**
>>> * __free_pages - Free pages allocated with alloc_pages().
>>> * @page: The page pointer returned from alloc_pages().
>>> diff --git a/mm/vmalloc.c b/mm/vmalloc.c
>>> index ecbac900c35f..8f782bac1ece 100644
>>> --- a/mm/vmalloc.c
>>> +++ b/mm/vmalloc.c
>>> @@ -3429,7 +3429,8 @@ void vfree_atomic(const void *addr)
>>> void vfree(const void *addr)
>>> {
>>> struct vm_struct *vm;
>>> - int i;
>>> + struct page *start;
>>> + int i, nr;
>>>
>>> if (unlikely(in_interrupt())) {
>>> vfree_atomic(addr);
>>> @@ -3455,17 +3456,26 @@ void vfree(const void *addr)
>>> /* All pages of vm should be charged to same memcg, so use first one. */
>>> if (vm->nr_pages && !(vm->flags & VM_MAP_PUT_PAGES))
>>> mod_memcg_page_state(vm->pages[0], MEMCG_VMALLOC, -vm->nr_pages);
>>> - for (i = 0; i < vm->nr_pages; i++) {
>>> +
>>> + start = vm->pages[0];
>>> + BUG_ON(!start);
>>> + nr = 1;
>>> + for (i = 1; i < vm->nr_pages; i++) {
>>> struct page *page = vm->pages[i];
>>>
>>> BUG_ON(!page);
>>> - /*
>>> - * High-order allocs for huge vmallocs are split, so
>>> - * can be freed as an array of order-0 allocations
>>> - */
>>> - __free_page(page);
>>> - cond_resched();
>>> +
>>> + if (start + nr != page) {
>>> + free_pages_bulk(start, nr);
>>> + start = page;
>>> + nr = 1;
>>> + cond_resched();
>>> + } else {
>>> + nr++;
>>> + }
>>> }
>>> + free_pages_bulk(start, nr);
>>> +
>>> if (!(vm->flags & VM_MAP_PUT_PAGES))
>>> atomic_long_sub(vm->nr_pages, &nr_vmalloc_pages);
>>> kvfree(vm->pages);
>>> ---8<---
>>>
>>>>>> Since the best strategy is workload-dependent, this patch adds a
>>>>>> parameter letting users to choose whether vmalloc should try
>>>>>> high-order allocations or stay strictly on the order-0 fastpath.
>>>>>>
>>>>>> Signed-off-by: Uladzislau Rezki (Sony) <urezki@...il.com>
>>>>>> ---
>>>>>> mm/vmalloc.c | 9 +++++++--
>>>>>> 1 file changed, 7 insertions(+), 2 deletions(-)
>>>>>>
>>>>>> diff --git a/mm/vmalloc.c b/mm/vmalloc.c
>>>>>> index d3a4725e15ca..f66543896b16 100644
>>>>>> --- a/mm/vmalloc.c
>>>>>> +++ b/mm/vmalloc.c
>>>>>> @@ -43,6 +43,7 @@
>>>>>> #include <asm/tlbflush.h>
>>>>>> #include <asm/shmparam.h>
>>>>>> #include <linux/page_owner.h>
>>>>>> +#include <linux/moduleparam.h>
>>>>>>
>>>>>> #define CREATE_TRACE_POINTS
>>>>>> #include <trace/events/vmalloc.h>
>>>>>> @@ -3671,6 +3672,9 @@ vm_area_alloc_pages_large_order(gfp_t gfp, int nid, unsigned int order,
>>>>>> return nr_allocated;
>>>>>> }
>>>>>>
>>>>>> +static int attempt_larger_order_alloc;
>>>>>> +module_param(attempt_larger_order_alloc, int, 0644);
>>>>> Would this be better as a bool? Docs say that you can then specify 0/1, y/n or
>>>>> Y/N as the value; that's probably more intuitive?
>>>>>
>>>>> nit: I'd favour a shorter name. Perhaps large_order_alloc?
>>>>>
>>>> Thanks! We can switch to bool and use shorter name for sure.
>>>>
>>>> --
>>>> Uladzislau Rezki
>
Powered by blists - more mailing lists